As you may have seen in the news, a vulnerability has been discovered that allows attackers to break the security of most wireless networks using Key Reinstallation Attacks (KRACK).
We strongly advise you to ensure the latest updates are applied to all devices that access or provide wireless network connectivity. Android smartphones are currently at greatest risk, but it is recommended to patch all brands of smartphones, tablets, workstations and wireless access points. Many vendors have already provided patches and more are working to resolve the issue as soon as possible.
What’s the issue?
KRACK is an exploit that allows attackers within close physical proximity of a wireless network to break WPA2 encryption and eavesdrop on transmitted data; this can include the websites you visit, the usernames and passwords you enter, the credit card details you use and the emails you send. The most common attack that exploits this vulnerability uses Man-in-the-Middle techniques, in which an attacker intercepts the web traffic between a target and the internet, gaining unauthorised access to sensitive data and the ability to inject attacks into the web pages the client accesses.
This means that an attacker could create a fake webpage for a popular online shopping site and steal the data you send to it; they could make files you download contain a virus, or even redirect you to webpages with content that is either malicious or offensive. This newly discovered vulnerability is present in the fundamental design of WPA2, meaning most wireless devices are at risk. However, the attacker has to be physically near the device and the network it is connected to, so the attack cannot be conducted over the internet (unlike WannaCry).
What’s the impact?
Currently, Linux-based systems are the most heavily impacted. As Android is built on Linux, approximately 41% of all Android devices are currently vulnerable. Additionally, Windows and Mac OS systems are affected to some extent, as are most wireless access points (such as your home internet router or coffee shop Wi-Fi). Attacks taking advantage of this vulnerability have not been seen in the wild, and tools allowing them to be reliably conducted are not publicly available, but this is likely to change as more information is released. A number of vendors were informed of the issue in July, meaning a large number of wireless access points (including Cisco, Ubiquiti and Juniper appliances) already have patches available; however, it is advised to check with vendors for patch availability.
What next steps should I take?
The key next step is to update wireless devices. It is advised that end user devices such as smartphones and workstations (especially laptops) are updated first, followed by wireless access points, then tablet PCs and any other wireless devices. For many devices, it is as simple as opening the App Store or Windows Update console and clicking “update”. For wireless access points, this will need to be done by logging onto the management interface. Servers and general network infrastructure other than wireless access points should not be vulnerable, as they are unlikely to have the hardware needed for wireless network connectivity. However, please ensure that a thorough review of which devices are in scope is conducted when carrying out patching.
In addition to this, use the following good security practices:
- Use wired network connections where possible
- For smartphones, use mobile data rather than Wi-Fi. Additionally, USB tethering, where you plug your smartphone into your laptop to share its mobile internet connection, also avoids the issue
- Only send sensitive information (such as passwords and bank details) over secure connections. Look for websites that have “HTTPS” at the start of their URL or that have a green padlock in the top left of the web browser
- Use a VPN (Virtual Private Network) when working remotely if your organisation provides this service
We are currently monitoring key vendors for updates and will provide further guidance below as more information becomes available.
From Microsoft, as per the article referenced below: "Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."
As per the article referenced below: “Google, which develops the Android software that runs on the majority of smartphones, said it would release a patch on November 6. However, since Android manufacturers have to release their own security updates, it may be months until some phones are safe, and others may never be secured.”